It is a member of the Win32/Vundo family, which delivers out-of-context pop-up advertisements.

What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

We have seen TrojanDownloader:Win32/Vundo.J arrive on your computer with an icon and version information that differ between samples. It is an executable file with a random name, such as the following:

A0052127.exe

Dc13.exe

TXT.exe

The trojan is run for the first time when you open or run the executable file.

We have observed different installations of TrojanDownloader:Win32/Vundo.J using the following version information, which will display in Windows Explorer in the Tiles view. The trojan may use these names as a form of social engineering to encourage you to open or run the file:

Borland Remote Debugging Server

ESET Smart Security

Symantec Shared Component
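
The following triage script is an added example, not part of the original description and not Microsoft's detection logic. It lists executables whose version information claims one of the names above but whose Authenticode signature does not validate. The function name, the default folder and the choice of the FileDescription and ProductName fields are assumptions; a hit is a lead for further analysis, since older legitimate builds of these products may also be unsigned.

```powershell
# Added triage example. Names the page reports Vundo.J samples using
# as version information.
$ObservedNames = @(
    'Borland Remote Debugging Server',
    'ESET Smart Security',
    'Symantec Shared Component'
)

function Find-SpoofedVersionInfo {
    param(
        # Directory to examine; this default is an assumption, adjust as needed.
        [string]$Path = "$env:USERPROFILE\Downloads"
    )

    Get-ChildItem -Path $Path -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Assumption: the spoofed name is stored in FileDescription or ProductName.
            $claimed = @($vi.FileDescription, $vi.ProductName) |
                Where-Object { $_ -and ($ObservedNames -contains $_.Trim()) } |
                Select-Object -First 1
            if (-not $claimed) { return }   # version info does not match; skip file

            # A file borrowing a vendor's name without a valid signature is suspicious.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Claims    = $claimed
                    Company   = $vi.CompanyName
                    Signature = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                    SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

Find-SpoofedVersionInfo | Format-List
```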

We have also observed the trojan using the following icons, which the malware authors may have copied from legitimate programs:

When first run, TrojanDownloader:Win32/Vundo.J drops a randomly named DLL file into the <system folder>.

This DLL file is also detected as TrojanDownloader:Win32/Vundo.J.

The malware sets the DLL to be loaded into every Windows-based program every time your computer starts by making the following registry modification: